
search with php on my site problem

Hi everyone, I have a problem with the search on my site. I don't understand why it gives me this error.

this is my form code

    <form action="index.php?cat=search_results&learn_id=1" method="post">
      <div id="topSearchBodyStyle">
        <input type="text" name="search" class="topSearchTextBackground" />
      </div>
      <div id="topSearchButtonStyle">
        <input type="submit" name="submit" class="topSearchButtonBackground" value="" />
      </div>
    </form>
and this is the page which has the PHP code

    <?php

    $getSearch = $_POST['search'];
    $getSearch = trim($getSearch);   // trim() returns the trimmed copy; it does not change its argument

    if (!get_magic_quotes_gpc()) {
        $getSearch = addslashes($getSearch);
    }

    $connectToDb = "select * from tutorials where tutorial_title like '%.$getSearch.%'";
    $searchResults = $db->query($connectToDb) or die($db->error);
    if ($searchResults) {
        $numResultas = $searchResults->num_rows;
        echo "<p>Found : " . $numResultas . "</p>";
        while ($row = mysqli_fetch_array($searchResults)) {
            echo $row['tutorial_title'];
        }
    } else {
        echo "cant connect";
    }
    ?>

Any idea why it gives me this notice about "Undefined index: search" and why the results come back as "0"?

Thanks to you all.
Apr 6 '12 #1

✓ answered by Atli

2 Replies


Atli
Hey.

Your SQL query string would be the problem:
    "select * from tutorials where tutorial_title like '%.$getSearch.%'"

More specifically, this part: '%.$getSearch.%'

The end result, assuming $getSearch turns out to be, say: "hello world", would be:
    "select * from tutorials where tutorial_title like '%.hello world.%'"

Do you see the problem there? The two dots, which you probably meant to be used to concat the variable to the string, are actually a part of the string and are therefore corrupting the search terms.

You need to remove the dots, or close the string before and after them.


Also, on another topic. The addslashes function is NOT enough to properly escape user input that is going into a MySQL query. Rather than checking if magic quotes are disabled and adding slashes, you should be checking whether it is ON and removing the slashes. - The magic_quotes feature has already been removed from the latest PHP version, PHP 5.4. It shouldn't be used.

To properly escape user input bound for a MySQL query, use either the mysql_real_escape_string function if you are using the old MySQL extension, or the mysqli::real_escape_string method/function if you are using the Improved MySQL extension.

Or better yet, if you are using the Improved MySQL extension or PDO, use prepared statements instead. They are FAR safer than escaping the input.
Apr 7 '12 #2
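As an added example (not code from this thread), here is the search page written the way the answer above recommends: a mysqli prepared statement instead of addslashes/magic_quotes. It assumes $db is a connected mysqli object and keeps the tutorials table and tutorial_title column from the question; because the LIKE pattern is built in PHP and bound as a parameter, the stray dots problem goes away too.

```php
<?php
// Added example, not from the original post. Assumes $db is a connected
// mysqli object and the tutorials/tutorial_title names from the question.

/**
 * Return the tutorial titles containing $term, using a prepared statement.
 * The search term is bound as a parameter, so it never becomes part of the
 * SQL text and a quote in the input cannot change the query's structure.
 */
function searchTutorials(mysqli $db, $term)
{
    $term = trim((string) $term);
    if ($term === '') {
        return [];
    }

    // LIKE treats % and _ as wildcards. Escape them (and the backslash, which
    // is MySQL's default LIKE escape character) so "100%" matches that literal
    // text instead of everything beginning with "100".
    $pattern = '%' . addcslashes($term, '\\%_') . '%';

    $stmt = $db->prepare(
        'SELECT tutorial_title FROM tutorials WHERE tutorial_title LIKE ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $pattern);   // the whole pattern is the bound value
    $stmt->execute();
    $stmt->bind_result($title);         // bind_result/fetch works without mysqlnd

    $titles = [];
    while ($stmt->fetch()) {
        $titles[] = $title;
    }
    $stmt->close();
    return $titles;
}

// The "Undefined index: search" notice appears when the page is requested
// without the form having been posted; default to an empty term instead.
$term = isset($_POST['search']) ? $_POST['search'] : '';
$titles = searchTutorials($db, $term);

echo '<p>Found : ' . count($titles) . '</p>';
foreach ($titles as $title) {
    // Escape for HTML at output time, not before the value goes into the query.
    echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8'), "<br />\n";
}
```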

Thanks a lot, brother Atli. I'm happy that I got your reply. First, I fixed my MySQLi query two days ago, but I didn't take care about addslashes and magic_quotes. Thanks a lot for the information. I have updated my code to be something like this.

    $getSearch = clean_text($_POST['search']);
and the function will be this.

    function clean_text($text = '')
    {
        $text = trim($text);
        $text = strip_tags($text);
        $text = addslashes($text);
        $text = htmlspecialchars($text);
        return $text;
    }
Thanks for replying to me and thanks a lot for the info.

regards
Yousef Altaf
Apr 7 '12 #3
